Do Thumb Drives Make Your Business Vulnerable?

Karsten Nohl, and Jakob Lell, a pair of techs working out of Secure Research Labs, seem to have discovered a weakness before the hackers have. The good news is that no hacker has launched this sort of attack yet. The bad news is that now that the weakness has been discovered, attack is inevitable.

What Do We Have To Be On Guard Against Now?

USB connectivity is ubiquitous. Every day you probably use or interact with no less than half a dozen devices that connect to your system in this manner. In fact some of your computer’s internal components might be USB connected, or using the same protocols, without your even realizing it.

The thing that makes USB devices work is their firmware. That’s a bit of programming that lets the computer know what the device is and what it can do. The problem is that the firmware can be changed. The device can be reprogrammed and they don’t have any protections against that. So your thumb drive could be transformed into a thumb drive/ keystroke logger that sends a complete copy of every keystroke you type back to the person who wrote the software.

Your computer’s on-board camera could be reprogrammed to beam its signal to someone else’s computer. Same with the built in microphone, or virtually any other piece of equipment attached to your core computer. So far at least, the only way any of this is possible is if a hacker were to gain physical control over your machine or USB device. That is to say, in order to reprogram it, they’d actually have to physically take your thumb drive, reprogram it and then slip it back to you, so that the next time you plugged it into your computer, it would do whatever the hacker had intended for it to do.

Two Things To Consider

That’s a fairly serious limitation, so two things stand out here. First, your thumb drive doesn’t put you in any immediate risk, provided you keep track of it physically. Second, it’s just a matter of time before someone figures out how to reprogram them remotely. When that happens, it’s open season and nobody’s safe.

What Can Be Done?

From your perspective, not much. There’s no setting in any OS that can make a USB device check in with you before its firmware is updated, and even if there were odds are excellent that most people would turn such notifications off or simply ignore them.

It is possible that a layer of security can be built around each individual device, but this would add to their cost, and one of the selling points of USB devices is the fact that many of them are low cost and convenient. As we are discovering, however, there’s a price to be paid for that convenience. The question is, is that price too steep for you?

In the short run, there is a chance that someone could exploit this. In the longer term, expect to see added layers of security around each USB device sold, and possibly a solution at the OS level, which would seek to extend some kind of protection around any attached device. It’s also possible that virus scanning software can be updated with tables describing what various firmware should look like, and be able to scan for anomalies on USB devices, but that would be a massive undertaking, given the sheer size of the ecosystem.

The bottom line is that there aren’t going to be any quick and easy solutions here.